You are an audit team leader who has just completed a third-party audit of a...

PECB ISO-IEC-27001-Lead-Auditor Question Answer

You are an audit team leader who has just completed a third-party audit of a mobile telecommunication provider. You are preparing your audit report and are just about to complete a section headed 'confidentiality'.

An auditor in training on your team asks you if there are any circumstances under which the confidential report can be released to third parties.

Which four of the following responses are false?

Although we advise the client the report is confidential we can decide to release it to third parties if we feel this is justified. We would always tell the client afterwards

The report can be released to third parties but only with the explicit, prior approval of the audit client

There are no circumstances under which the report can be released to a third party. Confidential means confidential and releasing the document would be a breach of trust

The starting position is always that third parties have no automatic right to access an audit report

If the third party has gained a legal notice for us to disclose the report then we must do so. In all such cases we would advise the audit client and, as appropriate, the auditee

Any auditor employed by the auditing organisation can access the audit report

Our duty of confidentiality is not something that lasts forever. As a certification body, we can decide how long we wish to keep reports confidential. After this, they can be accessed by third parties making a subject access request

Explanation:

The audit report is a confidential document that contains sensitive information about the auditee’s ISMS and its performance. The audit team has a duty to protect the confidentiality of the audit report and only disclose it to authorized parties, such as the audit client, the certification body, and the accreditation body. Therefore, the following responses are false:

A: The audit team cannot decide to release the report to third parties without the consent of the audit client, as this would breach the confidentiality agreement and the audit code of conduct. The audit team should always inform the audit client before disclosing the report to any third party, and obtain their explicit, prior approval.

F: Not every auditor employed by the auditing organization can access the audit report, as this would violate the principle of need-to-know. Only auditors who are involved in the audit process, such as the audit team leader, the audit team members, the audit programme manager, and the certification decision maker, can access the audit report. Other auditors who are not related to the audit have no legitimate reason to access the report, and should be prevented from doing so by appropriate security measures.

G: The duty of confidentiality does not expire after a certain period of time, as this would compromise the trust and integrity of the audit process. The audit report remains confidential indefinitely, unless there is a legal or contractual obligation to disclose it, or the audit client agrees to release it. Third parties cannot access the audit report by making a subject access request, as this would infringe the privacy and data protection rights of the audit client and the auditee.

H: Subcontracted auditors are not considered to be third parties regarding confidentiality, as they are part of the audit team and have a contractual relationship with the auditing organization. Subcontracted auditors are typically bound by the same confidentiality agreement and audit code of conduct as the employed auditors, and have the same rights and responsibilities to access and protect the audit report.

References: =

ISO/IEC 27001:2022, clause 9.2, Internal audit

ISO/IEC 27006:2015, clause 7.2.3, Confidentiality

PECB Candidate Handbook ISO 27001 Lead Auditor, page 22, Audit Report

PECB Candidate Handbook ISO 27001 Lead Auditor, page 24, Audit Code of Conduct

PECB ISO-IEC-27001-Lead-Auditor View All Questions